Using NW6.5 SP5/OES SP2

Universal password is enabled, but we do not use password self-service.

We would like to set up some "sub-admins" that can change user passwords.
What are the minimum rights needed to a container in order to change user
passwords within the container?

Thanks